Archive for February, 2010

February 15, 2010

Information Security Management System (ISMS) – ISO 27001

Information Security Management System (ISMS) is a management system based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISO/IEC 27001 is a standard for information security that focuses on an organization’s ISMS.

Objective of ISMS

    Information security is the protection of information to ensure:

• Confidentiality: ensuring that the information is accessible only to those authorised to access it.
• Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
• Availability: ensuring that the information is accessible to authorized users when required.

Why should I implement ISO 27001 ISMS?

• Certification of a management system brings several advantages. It gives an independent assessment of your organization’s conformity to an international standard that contains best practices from experts for ISMS.
• Meeting legislative and regulatory requirements
• As a measure and independent evidence that industry best practices are being followed.
• As part of a corporate governance program

Process for implementing ISO 27001
1. Define an information security policy
2. Define scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risk
5. Select controls to be implemented and applied
6. Prepare as SoA (a “statement of applicability”)

The Certification Process
 Guidelines – ISO/IEC 27002:2007
 Certification – ISO/IEC 27001:2005
 Stage 1 : Documentation Review & evaluate client’s readiness
 Stage 2 : Implementation audit & evaluate effectiveness of client’s systems
 Lead Auditor’s recommendation to certify
 Certificate issued by certification/registration body
 Surveillance
 Periodic review audits (6 months interval)
 Re-certification (after 3 years)

February 8, 2010

Penetration Testing

Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

Pen test strategies include: –

Targeted testing

Targeted testing is performed by the organization’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.

External testing

This type of pen test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access.

Internal testing

This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

Blind testing

A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

Double blind testing

Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization’s security monitoring and incident identification as well as its response procedures.

Penetration Testing Tools
1) Nmap – Worlds Best Port Scanner
2) Nessus – Vulnerability Scanner
3) Metasploit – Exploit framework
4) Pass-The-Hash – Who needs passwords?
5) Hydra – Brute force password guessing
6) Cain & Abel – The ultimate MITM utility
7) Wireshark – network protocol analyzer
8) Snort – traffic analysis and packet logging on IP networks
9) Netcat – reads and writes data across TCP or UDP network connections
10) Nikto – web server scanner which performs comprehensive tests against web servers

February 2, 2010

Books to Change Life

This is a collection of book name that changed or influenced people life. I prepared this on the basis of a Linkedin discussion. This can be helpful for reading.

Srl. No. Book Author
1 Quran / Bible / Gita Quran / Bible / Gita
2 How to Win Friends and Influence People Dale Carneg
3 7 Habits of highly effective people Stephen MR Covey 
4 The speed of trust  Stephen MR Covey 
5 The Secret  Rhonda Byrne 
6 Who will Cry when you Die   Robin Sharma
7 Our Iceberg is Melting  John Kotter
8 Rich dad poor dad  Robert Kiyosaki
9 The Greatness Guide  Robin Sharma
10 Don’t Worry About Tomorrow  Dale Carnegie
13 The Goal Eliyahu M Goldratt 
14 The Saint, The Surfer and The CEO Robin Sharma
15 Awaken the giant within  Anthony Robbins
16 The Profit Zone Adrian Slywotzky
17 Creating a World Without Poverty M Yunus
18 Anatomy of the Spirit Caroline Myss
19 Seat of the Soul  Gary Zukav
20 The Palace of Nowhere James Finley
21 Values Shift Brian Hall
22 The Palm at the End of the Mind Wallace Stevens
23 Creating a world without poverty  Muhammad Yunus
24  Find Your Own Way In Difficult Time David Rascott 
25 Execution  Bossidy & RamCharan
26 Built to last  Jim Collin
27 Good to great   Jim Collins 
28  In Search of excellence Thomas
29  Awakening the entrepreneur within  Michael Gerber
30 Fountainhead   Ayn Rand 
31 Many Lives Many Masters  Brian Weiss’s
32 The Power of Now Eckhard Tolle
33  Blink  Malcolm Gladwell 
34  You Can Negotiate Anything Herb Cohen
35  Old Path White clouds  Thich Nhat Hanh 
36  Success Principles’  Jack Canfield 
37  Notes to Myself  Hugh Prather 
38  The Same Old Story  Ivan Goncharov 
39  Atlas Shrugged  Ayn Rand 
40  Law of Attraction  Michale Loussiar
41  Out of my comfort zone  Steve Waugh
42  When Genius Failed Roger Lowenstein 
43 The Making of a Financial Legend   Paul Volcker: 
44  PURPOSE DRIVEN LIFE Pastor Rick Warren 
45  WHAT YOU SAY IS WHAT YOU GET  Pastor Don Gossett 
46  WHAT’S ON IN YOUR MIND Merlin Carothers
47  The Google Story David Vise 
48  The Palace of Illusions  Chitra Banerjee Divakaruni
49  Emotional Intelligence Daniel Goldman
50  Unlimited Power Anthony Robbins 
51  Awaken the Giant Within Anthony Robbins 
52  Getting Things Done David Allen 
53  Lateral Thinking Edward Debono 
54 Embracing Change   Tony Buzan’s
55  Good to great  Jim Collins
56  FIRST THINGS FIRST  Stephen Covey 
58  WHO MOVED MY CHEESE,  Spencer Johnson 
59  You can heal your life  Louis L Hay 
60  The celestine Prophecy  James Redfield 
61  The truth shall set you free and
The robot’s rebellion 
David Icke 
62  Mutant Message   Marlo Morgon
63 Johanthan Livingston seagull  Richard Bach 
64 The Bridge forever Richard Bach
65 Future Shock   Alvin Toffler
66 The range of works   Bertrand Russell
67 A Passion for Excellence  Tom Peters 
68 The Seven Spiritual Laws of Success  Deepak Chopra
69 Make Your Site Sell  Ken Evoy
70 Brief history of time  Stephen Hawking
71 How to Stop Worrying and Start Living Dale Carnegie 
72 Worthy human performance  Thomas gilbert
73 cultures of organisation  Gret Hopstead
74 Love is the Killer App  Thomas Sanders 
75 Rules of the Red Rubber Ball  Kevin Caroll 
76 Outliers  Malcolm Gladwell 
77 Talent is Overrated  Geoff Colvin
78 The Secret  Rhonda Byrne
79 Magic of thinking Big  David Schwartz
80 Eat that Frog Brian Tracy
81 Little things Big results Roger Fritz
82 The business School Robert  Kiyosaki
83 Are You Ready to Succeed?  Srikumar Rao
84 Improving performance  Rummler and Brache
85 2Developing management skills  Whetton & Cameron
86 Games people Play  Eric Berne
87 The 3rd Wave Alvin Toffler
88 Maverics at Work William Taylor
89 Circle of Innovation  Tom Peters 
90 Re Imagine  Tom Peters
91 Al Chemist   Paulo Coelho
92 Wings of Fire APJ Kalam
93 Six thinkng Hats  De bono
94 The Man who sold the ferrari   Robin Sharma
95 Execution Chuck Bossidy
96 In Search of excellence Tom Peters
97 Blue Ocean strategy Kim and Mauborgne
98 How to get whatever you want Kopmeyers
99 The power of positive thinking  Norman Vincent Peale
100 The Magic of Thinking Big   David J Schwartz
101 Tough Times Never Last,
But Tough People do 
Robert H Schuller 
102 Richest Man in Babylon  George S Clason
103 Who Moved my Cheese  Spencer Johnson
104 The 360 Degree Leader John C
105 The One Minute Millionnaire  Robert Allen